Oversight

GAO: Mixed results thus far implementing FISMA

concept cybersecurity art

Federal agencies have improved compliance with information security requirements under the Federal Information Security Act , but checking all the boxes has not translated into taking full advantage of the enhancements that are available,  according to a Government Accountability Office report issued to Congress Sept. 26.

The report suggests that most of the 24 major federal agencies established many of the eight key information security program components laid forth by FISMA in fiscal 2012, but only partially fulfilled others. GAO evaluated its previous information security reports, the Office of Management and Budget's annual reports to Congress on FISMA implementation, reports from inspectors general and individual agency reports during the course of its review.

IG reports show the number of agencies that analyzed, validated and documented security incidents increased from 16 to 19 in the past fiscal year, but the number of agencies able to track identified weaknesses actually declined.

GAO states that all but one of the 24 major federal agencies had weaknesses in security controls intended to limit or detect access to computer resources.

In the report, OMB attributed the decline to "agencies not updating their policies and procedures after new federal requirements are established or new technologies are deployed."

In summary, agencies have seen some progress in FISMA implementation, but major weaknesses persist.

"Notwithstanding the mixed progress made, GAO and inspectors general continue to identify weaknesses in agencies' information security programs and make recommendations to mitigate the weaknesses identified," the GAO report states. "In addition, OMB and (the Department of Homeland Security) continued to develop reporting metrics and assist agencies in improving their information security programs; however, the metrics do not evaluate all FISMA requirements, focused mainly on compliance rather than effectiveness of controls, and in many cases did not identify specific performance targets for determining levels of implementation."

GAO's report culminates with recommendations to OMB and DHS to "develop compliance metrics related to periodic assessments of risk and development of subordinate security plans" and to develop better metrics for IGs to report on the effectiveness of agency information security programs.

OMB agreed with the recommendations but did not provide any comment, while DHS provided a written response indicating action it plans to take.

About the Author

Frank Konkel is a former staff writer for FCW.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.